beNi and I have been talking a lot about some issues within Gmail where too much information is disclosed by AJAX and JSON. Alas, it has finally been proven to allow for information disclosure. The example he built is based on a tiny XSS hole (one that requires user interaction), but any XSS hole will do; this is only a proof of concept. Click here to see his post on the topic.

This is the second time Google has had this issue (the first was found by Jeremiah Grossman over a year ago). It’s not a good idea to have sensitive information stored like this, but really, once you find XSS on a system it’s almost irrelevant. But from this point forward your contact list will be vulnerable every time an XSS exploit is found (of which there are probably hundreds on the site at the moment). Not to mention the other terrible things you can do to Google consumers once you have XSS on Google. Nice find, beNi!

This entry was posted on Wednesday, March 14th, 2007 at 1:03 pm and is filed under XSS, Webappsec.

And yes, once you've found an XSS on a site like this one it is pretty irrelevant how data is stored. Maybe I should write some nice PoC for Yahoo - finding XSS holes is definitely easier there.

The other funny thing is that I found exactly the same hole in Hotmail/Live Mail as the one in Gmail discovered by Jeremiah Grossman. Only that it wasn't the contact list but all the mails and the authorization token. That was over a month ago and they asked me again not to write about this one - it is supposed to take only a few days more.